Microsoft Lync keychain password prompt on login

One of my users ran into an issue recently when launching Microsoft Lync. When the Lync application logged into the Lync server, a Microsoft Lync wants to use OC_KeyContainer_username@company.com. Please enter the keychain password prompt appeared.

The curious thing was that the keychain prompt would not accept the user’s current login password. When I checked, the user’s login keychain was unlocked and using the current password, so it didn’t appear to be caused by the login keychain password issues that I normally deal with.

After some research, I was able to find the answer and get this issue fixed. See below the jump for the details.

What caused the password prompt?:

Microsoft Lync creates a keychain file to store encryption keys. The file is physically stored in /Users/username/Library/Keychains and is named something similar to OC_KeyContainer__username@company.com.

The password for this keychain is not tied to the user’s account password and it looks like the Lync program itself will automatically generate a randomized password for it. The password to unlock that keychain is then stored in the user’s login keychain.

Occasionally, something in Lync happens that causes this keychain to refuse to work properly. In that event, a pop-up may appear requesting a password.

Removing the OC_KeyContainer__username@company.com keychain file will force Lync to create a new one.

When Lync is relaunched, it will generate a new OC_KeyContainer__username@company.com keychain file with a new randomized password and store it in /Users/username/Library/Keychains.

An interesting thing about this OC_KeyContainer keychain and associated password entry is that the persistence of it appears to be tied to whether or not Lync is set to save the user’s account password.

If the password is set not to be saved:

The OC_KeyContainer__username@company.com keychain and OC_KeyContainer__username@company.com password entry in the user’s login keychain are created when Lync connects to the Lync server.

Once the Lync application is quit, the OC_KeyContainer__username@company.com keychain and application password entry are automatically deleted. On relaunch, a new OC_KeyContainer__username@company.com keychain and application password entry in the user’s login keychain are created.

If the password is set to be saved:

If they do not already exist, the OC_KeyContainer__username@company.com keychain and OC_KeyContainer__username@company.com password entry in the user’s login keychain are created when Lync connects to the Lync server. A Microsoft Lync password entry is also created in the user’s login keychain if one does not already exist.

Once the Lync application is quit, the OC_KeyContainer__username@company.com keychain and application password entry persist and are not automatically deleted. On relaunch, Lync will look for and re-use the existing OC_KeyContainer__username@company.com keychain and OC_KeyContainer__username@company.com password entry.

So, thanks for the article, Microsoft referred me to this to troubleshoot some issues with MAC. However, my users do not have the file @ the location above (step 3) … they are running MAC 10.9.1 and do not have the OC file @ /Users/username/Library/Keychains. Any ideas?

I recently updated Office and have the OC-Keychain popup issue with Lync. However, I too do not have the file in my /Library/Keychains folder or in the KeyChain Utility app. So I cannot take the steps outlined. I see Greg S had a similar issue in Feb. Any fixes or ideas? I have tried a a number of things. I even reinstalled Lync. That didn’t work.

It worked for me. The specified path was not available to me either through Finder. I was able to access it through terminal. go to terminal and navigate to below path.
/Users//Library/Keychains. you will find the OC_Keycontainer_* file in the path. Now just use ‘rm OC_KeyContainer__email@company.com‘ . That will delete the file.

You’ll likely not be able to go to userid/Library/Keychains by just clicking through the Finder, you need to get there using Finder’s menu Menu->Go->Go to Folder and type in ‘~/Library/Keychains’ (you can copy paste that). Or Shift+Command+G and put in the same thing. That’ll take you to /Users/’your userid’/Library/Keychains.

Lisa, you are the best! I have been trying every fix I could find and you were the first to give the specific detail on Shift+Command+G and I was finally able to find that #$%@@#$ file! Thank you thank you thank you!!!

You’ll likely not be able to go to userid/Library/Keychains by just clicking through the Finder, you need to get there using Finder’s menu Menu->Go->Go to Folder and type in ‘~/Library/Keychains’ (you can copy paste that). Or Shift+Command+G and put in the same thing. That’ll take you to /Users/’your userid’/Library/Keychains.

Rich, you’re a beast! Thanks again and as always for posting great info.

I have a slight twist on this issue and wonder if it’s related. When starting Excel, PowerPoint, Outlook or OneNote, I get a similar keychain error that reads ” wants to use your confidential information stored in ‘Microsoft Identity 4F7322BE-C519-4E56-9738-1C86EEB7244D’ in your keychain”. The item is in my unlocked login keychain but I can’t monify it to add the last few apps (unrecognized p/w). Then I realized that ALL my keychain items are inaccessible even though my login keychain is unlocked. I noticed this shortly after my in place upgrade to El Capitan. Are these issues related? TIA.

It worked for me. The specified path was not available to me either through Finder. I was able to access it through terminal. go to terminal and navigate to below path.
/Users//Library/Keychains. you will find the OC_Keycontainer_* file in the path. Now just use ‘rm OC_KeyContainer__email@company.com‘ . That will delete the file.

Thank you. That worked for me too. However, I did not see the ‘Library’ folder at first. Once I was inside my home folder, I had to click the ‘gear’ icon in Finder than choose the menu option to ‘Show View Settings’ the check the box to ‘Show Library’. That worked for me. Thank you.

For what it’s worth this happened to me after upgrading one of my test machines to macOS 10.12 GM earlier today (either that or my enabling unlock with Apple Watch – but not sure that’s possible). Thanks Rich!

I upgraded to Sierra last week and it Lync continued to work numerous times after… until I restarted this morning. Then this issue. Following the removal instructions for the file did not work. What DID work for me was to completely uninstall Lync (I have Clean My Mac 3 and did the uninstall from there.) I reinstalled Lync and it took a while (spinner for about 2 minutes?) but it connected and is up and running.

I updated last night… I have no OC keychains at all and my password is correct yet it gives me this prompt. I try to enter my current password for the LYNC account and it denies me. We run parallels and when I go to the LYNC on that side everything works so the passwords are correct for everything. I guess Ill have to wait on IT to give me a copy of the disk to reinstall?

For those having trouble:
To find the Keychains Folder – go to Finder, hold the “option” key and then click the “Go” menu at the top and you will see the Libraries folder appear. Keychains is in there.

When I went into my Library/Keychains folder, that file name was not there: OC_KeyContainer__username@company.com. I am still getting the popup. Any other suggestions? I just recently upgraded both my OS and to CC2018 and had to update my passwords today. Lync automatically logged out and wanted me to enter my new password and that’s when the message started appearing. Thanks for any help.

It is probably way too late for you, but in case anyone else stumbles over this, since I too ran into it a year later. I too could not find that entry in keychains and found that for some reason I needed to go through Terminal to access the library and library/keychains directory on my machine, but from there I was able to use the ls command to see that the OC_Keycontainer… file was in fact there and delete it.